Bugzilla – Attachment 1334 Details for Bug 20657
audit2allow reports errors when generating an SELinux policy
Attachment: Steps to reproduce the audit2allow error (text/plain), 13.24 KB, created by liquan on 2025-04-24 16:36:32 UTC
Description: Steps to reproduce the audit2allow error.

Attachment contents:
[root@anolis810 ~]# yum install -y selinux-policy-mls policycoreutils-python-utils
AnolisOS-8 - Kernel 5.10                                                          65 kB/s | 3.8 kB     00:00
Dependencies resolved.
======================================================================================================================
 Package                              Architecture   Version                     Repository      Size
======================================================================================================================
Installing:
 policycoreutils-python-utils         noarch         2.9-26.an8                  BaseOS         253 k
 selinux-policy-mls                   noarch         3.14.3-139.0.1.an8.1        BaseOS         7.4 M
Installing dependencies:
 checkpolicy                          x86_64         2.9-1.el8                   BaseOS         345 k
 mcstrans                             x86_64         2.9-2.0.1.an8               BaseOS         135 k
 policycoreutils-newrole              x86_64         2.9-26.an8                  BaseOS         199 k
 python3-audit                        x86_64         3.1.2-1.0.1.an8             BaseOS          87 k
 python3-libsemanage                  x86_64         2.9-11.0.1.an8              BaseOS         128 k
 python3-policycoreutils              noarch         2.9-26.an8                  BaseOS         2.3 M
 python3-setools                      x86_64         4.3.0-5.an8                 BaseOS         626 k

Transaction Summary
======================================================================================================================
Install  9 Packages

Total download size: 11 M
Installed size: 27 M
Downloading Packages:
(1/9): policycoreutils-newrole-2.9-26.an8.x86_64.rpm                693 kB/s | 199 kB     00:00
(2/9): mcstrans-2.9-2.0.1.an8.x86_64.rpm                            426 kB/s | 135 kB     00:00
(3/9): checkpolicy-2.9-1.el8.x86_64.rpm                             1.0 MB/s | 345 kB     00:00
(4/9): python3-audit-3.1.2-1.0.1.an8.x86_64.rpm                     709 kB/s |  87 kB     00:00
(5/9): policycoreutils-python-utils-2.9-26.an8.noarch.rpm           1.6 MB/s | 253 kB     00:00
(6/9): python3-libsemanage-2.9-11.0.1.an8.x86_64.rpm                767 kB/s | 128 kB     00:00
(7/9): python3-setools-4.3.0-5.an8.x86_64.rpm                       1.5 MB/s | 626 kB     00:00
(8/9): python3-policycoreutils-2.9-26.an8.noarch.rpm                4.6 MB/s | 2.3 MB     00:00
(9/9): selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch.rpm           6.7 MB/s | 7.4 MB     00:01
----------------------------------------------------------------------------------------------------------------------
Total                                                               6.8 MB/s |  11 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                              1/1
  Installing       : python3-setools-4.3.0-5.an8.x86_64                                                           1/9
  Installing       : python3-libsemanage-2.9-11.0.1.an8.x86_64                                                    2/9
  Installing       : python3-audit-3.1.2-1.0.1.an8.x86_64                                                         3/9
  Installing       : policycoreutils-newrole-2.9-26.an8.x86_64                                                    4/9
  Installing       : mcstrans-2.9-2.0.1.an8.x86_64                                                                5/9
  Running scriptlet: mcstrans-2.9-2.0.1.an8.x86_64                                                                5/9
  Installing       : checkpolicy-2.9-1.el8.x86_64                                                                 6/9
  Installing       : python3-policycoreutils-2.9-26.an8.noarch                                                    7/9
  Installing       : policycoreutils-python-utils-2.9-26.an8.noarch                                               8/9
  Running scriptlet: selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch                                               9/9
  Installing       : selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch                                               9/9
  Running scriptlet: selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch                                               9/9
  Verifying        : checkpolicy-2.9-1.el8.x86_64                                                                 1/9
  Verifying        : mcstrans-2.9-2.0.1.an8.x86_64                                                                2/9
  Verifying        : policycoreutils-newrole-2.9-26.an8.x86_64                                                    3/9
  Verifying        : policycoreutils-python-utils-2.9-26.an8.noarch                                               4/9
  Verifying        : python3-audit-3.1.2-1.0.1.an8.x86_64                                                         5/9
  Verifying        : python3-libsemanage-2.9-11.0.1.an8.x86_64                                                    6/9
  Verifying        : python3-policycoreutils-2.9-26.an8.noarch                                                    7/9
  Verifying        : python3-setools-4.3.0-5.an8.x86_64                                                           8/9
  Verifying        : selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch                                               9/9

Installed:
  checkpolicy-2.9-1.el8.x86_64                          mcstrans-2.9-2.0.1.an8.x86_64
  policycoreutils-newrole-2.9-26.an8.x86_64             policycoreutils-python-utils-2.9-26.an8.noarch
  python3-audit-3.1.2-1.0.1.an8.x86_64                  python3-libsemanage-2.9-11.0.1.an8.x86_64
  python3-policycoreutils-2.9-26.an8.noarch             python3-setools-4.3.0-5.an8.x86_64
  selinux-policy-mls-3.14.3-139.0.1.an8.1.noarch

Complete!
[root@anolis810 ~]# sed -i "s#SELINUX\=disabled#SELINUX\=permissive#" /etc/selinux/config
[root@anolis810 ~]# sed -i "s#SELINUXTYPE\=targeted#SELINUXTYPE\=mls#" /etc/selinux/config
[root@anolis810 ~]# systemctl enable auditd
Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /usr/lib/systemd/system/auditd.service.
[root@anolis810 ~]# fixfiles -F onboot
System will relabel on next boot
[root@anolis810 ~]# reboot

Last login: Thu Apr 24 11:31:23 2025 from 192.168.10.1
[root@anolis810 ~]# grep 'denied' /var/log/audit/audit.log |head
type=AVC msg=audit(1745483528.284:33): avc:  denied  { watch } for  pid=812 comm="systemd-logind" path="/run/utmp" dev="tmpfs" ino=518 scontext=system_u:system_r:systemd_logind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1745483528.895:34): avc:  denied  { watch } for  pid=808 comm="dbus-daemon" path="/usr/share/dbus-1/system.d" dev="dm-0" ino=68269914 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483528.895:35): avc:  denied  { watch } for  pid=808 comm="dbus-daemon" path="/etc/dbus-1/system.d" dev="dm-0" ino=695996 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.442:39): avc:  denied  { integrity } for  pid=835 comm="modprobe" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown permissive=1
type=AVC msg=audit(1745483530.622:43): avc:  denied  { watch } for  pid=834 comm="NetworkManager" path="/usr/lib/firmware" dev="dm-0" ino=36301 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.625:45): avc:  denied  { watch } for  pid=834 comm="NetworkManager" path="/run/systemd/seats" dev="tmpfs" ino=519 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.626:46): avc:  denied  { watch } for  pid=834 comm="NetworkManager" path="/run/systemd/sessions" dev="tmpfs" ino=520 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.626:47): avc:  denied  { watch } for  pid=834 comm="NetworkManager" path="/run/systemd/machines" dev="tmpfs" ino=522 scontext=system_u:system_r:NetworkManager_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.866:51): avc:  denied  { watch } for  pid=855 comm="crond" path="/var/spool/cron" dev="dm-0" ino=889648 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.866:52): avc:  denied  { watch } for  pid=855 comm="crond" path="/etc/cron.d" dev="dm-0" ino=34259913 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=1
[root@anolis810 ~]#
[root@anolis810 ~]# uname -a
Linux anolis810 5.10.134-18.an8.x86_64 #1 SMP Fri Dec 13 16:32:58 CST 2024 x86_64 x86_64 x86_64 GNU/Linux
[root@anolis810 ~]# audit2allow < /var/log/audit/audit.log
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_security_class: unrecognized class lockdown
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit
libsepol.sepol_string_to_av_perm: could not convert watch to av bit


#============= fsadm_t ==============
allow fsadm_t nvme_device_t:blk_file { ioctl open read };

#============= kmod_t ==============
allow kmod_t self:lockdown integrity;

#============= staff_t ==============
allow staff_t admin_home_t:file setattr;
allow staff_t auditd_log_t:dir { open read search };
allow staff_t auditd_log_t:file { ioctl open read };
allow staff_t security_t:security read_policy;

#============= tuned_t ==============
allow tuned_t NetworkManager_t:dir { getattr open read search };
allow tuned_t NetworkManager_t:file { getattr ioctl open read };
allow tuned_t auditd_t:dir { getattr open read search };
allow tuned_t auditd_t:file { getattr ioctl open read };
allow tuned_t chronyd_t:dir { getattr open read search };
allow tuned_t chronyd_t:file { getattr ioctl open read };
allow tuned_t crond_t:dir { getattr open read search };
allow tuned_t crond_t:file { getattr ioctl open read };
allow tuned_t firewalld_t:dir { getattr open read search };
allow tuned_t firewalld_t:file { getattr ioctl open read };
allow tuned_t init_t:dir read;
allow tuned_t init_t:file { getattr ioctl open read };
allow tuned_t irqbalance_t:dir { getattr open read search };
allow tuned_t irqbalance_t:file { getattr ioctl open read };
allow tuned_t kernel_t:dir { getattr open read search };
allow tuned_t kernel_t:file { getattr ioctl open read };
allow tuned_t policykit_t:dir { getattr open read search };
allow tuned_t policykit_t:file { getattr ioctl open read };
allow tuned_t sshd_t:dir { getattr open read search };
allow tuned_t sshd_t:file { getattr ioctl open read };
allow tuned_t syslogd_t:dir { getattr open read search };
allow tuned_t syslogd_t:file { getattr ioctl open read };
allow tuned_t system_dbusd_t:dir { getattr open read search };
allow tuned_t system_dbusd_t:file { getattr ioctl open read };
allow tuned_t systemd_hostnamed_t:dir { getattr open read search };
allow tuned_t systemd_hostnamed_t:file { getattr ioctl open read };
allow tuned_t systemd_logind_t:dir { getattr open read search };
allow tuned_t systemd_logind_t:file { getattr ioctl open read };
allow tuned_t tuned_etc_t:file write;
allow tuned_t udev_t:dir { getattr open read search };
allow tuned_t udev_t:file { getattr ioctl open read };
[root@anolis810 ~]#
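The two libsepol messages in the log above are lookups of the denied class and permission names in the installed policy: the 5.10 kernel reports a `watch` permission on `dir`/`file` objects and a `lockdown` object class, and the selinux-policy 3.14.3 build installed here does not define either, so `sepol_string_to_av_perm` and `sepol_string_to_security_class` fail. The effect is visible in the output: nineteen `watch` denials were read and not a single `watch` rule was emitted. The script below is an added example, not part of the reporter's attachment or of the policycoreutils/setools code. It parses AVC records, merges them per (source type, target type, class) the way audit2allow groups its rules, and checks every class and permission against a class/permission table before emitting anything, so the records that will not translate are listed up front. The `POLICY_PERMS` table and the third and fourth sample records are constructed for the example (the first two records are the dbus `watch` and modprobe `lockdown` denials from the report). Treating an unknown class as untranslatable is a simplification of this example: the reporter's run printed the `lockdown` warning and still emitted `allow kmod_t self:lockdown integrity;`, so audit2allow itself handles that case differently.

```python
"""Pre-check AVC denials against the class/permission vocabulary of the
policy that audit2allow will use to compile them.

audit2allow hands each denial to libsepol, which resolves class and
permission names against the installed policy.  A kernel that emits names
the userspace policy predates (here 5.10's 'watch' permission and its
'lockdown' class) makes that lookup fail, and the denial yields no rule.
"""
import re
from collections import defaultdict

# Constructed stand-in for a policy that predates kernel 5.10 (roughly the
# selinux-policy 3.14.3 era named in the report): 'watch' is missing from
# dir and file, and there is no 'lockdown' class at all.  A real policy has
# well over a hundred classes; only the three the sample needs are listed.
# On a live system the authoritative list is /sys/fs/selinux/class/<class>/perms/.
POLICY_PERMS = {
    "dir": {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
            "relabelfrom", "relabelto", "append", "map", "unlink", "link",
            "rename", "execute", "open", "add_name", "remove_name",
            "reparent", "search", "rmdir"},
    "file": {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
             "relabelfrom", "relabelto", "append", "map", "unlink", "link",
             "rename", "execute", "open", "entrypoint", "execute_no_trans"},
    "blk_file": {"ioctl", "read", "write", "create", "getattr", "setattr",
                 "lock", "relabelfrom", "relabelto", "append", "map",
                 "unlink", "link", "rename", "open"},
}

# Sample input.  Records 1 and 2 are the dbus 'watch' and modprobe 'lockdown'
# denials from the report; record 3 is constructed to match the fsadm_t rule
# audit2allow did emit; record 4 is a non-AVC line that must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1745483528.895:34): avc:  denied  { watch } for  pid=808 comm="dbus-daemon" path="/usr/share/dbus-1/system.d" dev="dm-0" ino=68269914 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1745483530.442:39): avc:  denied  { integrity } for  pid=835 comm="modprobe" lockdown_reason="unsigned module loading" scontext=system_u:system_r:kmod_t:s15:c0.c1023 tcontext=system_u:system_r:kmod_t:s15:c0.c1023 tclass=lockdown permissive=1
type=AVC msg=audit(1745483531.001:60): avc:  denied  { ioctl open read } for  pid=901 comm="blkid" path="/dev/nvme0n1" dev="devtmpfs" ino=9001 scontext=system_u:system_r:fsadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
type=SYSCALL msg=audit(1745483531.001:60): arch=c000003e syscall=257 success=yes exit=3 comm="blkid"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, [perms]) for an AVC denial,
    or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), m.group("perms").split())


def triage(log_text, policy_perms):
    """Merge denials per (source, target, class) as audit2allow does, then
    split them into allow rules the policy can express and libsepol-style
    messages for the names it cannot resolve."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)].update(perms)

    rules, problems = [], []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        known = policy_perms.get(tclass)
        if known is None:
            problems.append(f"unrecognized class {tclass}")
            continue
        unknown = sorted(p for p in perms if p not in known)
        if unknown:
            problems.extend(f"could not convert {p} to av bit" for p in unknown)
            continue
        target = "self" if stype == ttype else ttype
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules, problems


if __name__ == "__main__":
    rules, problems = triage(SAMPLE_AUDIT_LOG, POLICY_PERMS)
    for p in problems:
        print("libsepol:", p)
    print()
    for r in rules:
        print(r)
```

On the affected machine the table to compare the kernel's AVC vocabulary against is `/sys/fs/selinux/class/<class>/perms/` (or `seinfo -x -c <class>` from setools); a policy whose `dir` class defines `watch` translates the dbus denial into `allow system_dbusd_t usr_t:dir watch;` and the warning disappears, while the only cure for `lockdown` is a policy that declares the class. Two practical consequences follow from the output above: a denial that fails translation is simply absent from the generated module, so the access stays blocked once the box goes enforcing, and the rules that are generated still need review before `semodule -i`, since lines such as `allow kmod_t self:lockdown integrity;` or `allow tuned_t sshd_t:file { getattr ioctl open read };` widen the policy well beyond the bug being chased.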